Kubernetes leadership warns of Ingress NGINX risks, but has also hastened its deprecation

The Kubernetes Steering and Security Response Committees has warned about the risks of continuing to run Ingress NGINX, which will receive no security patches from March 2026. “We cannot overstate the severity of this situation or the importance of beginning migration to alternatives,” said an official statement on the matter, though despite the severity, recent offers of help have been rejected as coming too late, and the leadership has pushed for a more rapid deprecation than maintainers wanted.

According to the statement, “roughly 50 percent of cloud native environments currently rely on this tool,” accounting for the strength of the warning, and users may not notice since existing deployments will continue to work and “you may not know you are affected until you are compromised.”

The statement also acknowledged that none of the available alternatives are drop-in replacements and that planning and engineering time is required.

Issues with lack of maintainers and contributors for the open-source Ingress NGINX have been known for some time, but came to a head at the KubeCon event in Atlanta, USA in November 2025. At a session titled “To InGate and beyond Ingress-nginx” maintainers James Strong and Marco Ebert announced the cessation of development effort on both Ingress NGINX and InGate, which was originally intended to be its successor. The first slide at the presentation stated, “Not the title you expected.”